Apple Laptop Hack Disables Batteries, Researcher to Show How at Black Hat

By Fahmida Y. Rashid
Posted 2011-07-25

At the upcoming Black Hat
security conference, a security researcher will demonstrate how he hacked the
chips in laptop batteries to corrupt them beyond repair.

Charles Miller, a principal
research consultant at Accuvant Labs, was able to take over chips inside the
batteries powering several of Apple's popular laptop brands and
"brick" them. Miller is widely known for his work on Mac OS X and
Apple's iOS vulnerabilities.

As a result, Miller can
overwrite battery management firmware to completely disable the batteries on
Apple laptops to the point that the computer no longer recognizes them as valid
battery units. At this point, his method can be used to launch attacks that are
more of a costly annoyance than a threat to data on the machines. Malicious
attackers would have to do more work to create malware that can use the
batteries as an attack vector to infect the actual machine itself, Miller said.

"What I'm showing is that
it's possible to use them to do something really bad," Miller told Forbes.

Most modern laptop batteries
come with a microcontroller that monitors the power level of the unit and sends
the information to the operating system so that it can keep track of the amount
of charge left. The battery also relies on the chip to know when to stop
recharging and to regulate how hot it gets during operation.

Miller examined MacBooks,
MacBook Pros and MacBook Airs, and found that many of the batteries on those
units had a 4-byte default password hard-coded on the microchips inside and a
second password to give full access to the hardware firmware. With the two
default passwords in hand, the perpetrator could rewrite the chips' firmware.
Miller discovered the passwords after analyzing a software update from 2009
from Apple that addressed an issue with MacBook batteries. He was able to
reverse-engineer the chip's firmware and modify the power information it sent
to the operating system. He was also able to rewrite the firmware.

The ability to access and
send instructions to the chip could be used by other attackers for malicious
purposes, such as preloading malware onto the chip, according to Miller. Once
an attacker figures out a way to go from the battery to the operating system,
battery-based malware could be used to infect the computer and steal data, take
control of the laptop or cause it to crash whenever it was in operation, Miller
said.

When faced with this kind of
malware, IT administrators and users will wipe the hard drive, reinstall
software and reinstall the BIOS firmware, but not think to check the battery's
firmware, according to Miller. "Every time it would reattack and screw you
over," Miller said, noting the only way to eradicate or detect it would be
by removing the battery.

"These batteries just aren't
designed with the idea that people will mess with them," Miller said.

On Aug. 4, the second day of
the Black Hat conference in Las Vegas, Miller will demonstrate his hack and
release a fix, "Caulkgun," to address the issue. He said he had
already shared his research with Apple and Texas Instruments.

The Caulkgun program Miller
will release would change the battery firmware's passwords to a random string
so that the default passwords no longer work. Installing this program
would also mean that if Apple decides to roll out an update in the future to
fix battery issues, that update would fail.

The hard-coded
default password has long been a problem, as there are a number of devices
that ship from the factory with passwords that can't be changed. Stuxnet
compromised the centrifuges at Iran's nuclear facility in 2010 by using the
default password assigned to all programmable logic controllers from Siemens.

While Miller's research seems
to indicate that malware authors can target batteries next, it is not a bigger
threat than any other possible hardware-based attack, according to Paul
Ducklin, Sophos' head of technology for the Asia-Pacific region. Apple laptop
batteries are not the new attack vector any more than "any other hardware
in your system with field-updatable firmware," such as the motherboard,
wireless card, graphics device and others, Ducklin wrote on the company's NakedSecurity
blog.

Ducklin also noted that
malware authors have rewritten firmware on hardware devices in the past. In
the late 1990s, there was a virus named CIH, or Chernobyl, which re-flashed the
BIOS on infected systems on April 26, causing the machine to hang. "No
malware ever appeared in the wild to do more than simply 'brick' an affected
PC's BIOS," Ducklin said, noting that most personal computer BIOSes still
aren't protected from this kind of attack.